VA Office of Inspector General
OFFICE OF AUDITS & EVALUATIONS

Department of Veterans Affairs
Federal Information Security Management Act Audit for Fiscal Year 2012

June 27, 2013
12-01712-229

ACRONYMS AND ABBREVIATIONS

CRISP    Continuous Readiness in Information Security Program
DHS      Department of Homeland Security
FISMA    Federal Information Security Management Act
NIST     National Institute of Standards and Technology
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&M    Plan of Action and Milestones

To Report Suspected Wrongdoing in VA Programs and Operations:
Telephone: 1-800-488-8244
Email: vaoighotline@va.gov
(Hotline Information: www.va.gov/oig/hotline)

Department of Veterans Affairs
Memorandum

Date:   June 18, 2013
From:   Assistant Inspector General for Audits and Evaluations
Subj:   Final Report: VA’s Federal Information Security Management Act Audit for FY 2012
To:     Acting Assistant Secretary for Information and Technology

1. Enclosed is the final audit report, Federal Information Security Management Act Audit for FY 2012. The Office of Inspector General (OIG) contracted with the independent public accounting firm, CliftonLarsonAllen LLP, to assess the Department of Veterans Affairs’ (referred to herein as the Department) information security program in accordance with the Federal Information Security Management Act (FISMA).

2. To ensure the adequacy and effectiveness of information security controls, FISMA requires agency program officials, Chief Information Officers, and Inspectors General to annually review the agency’s information security program and report the results to the Department of Homeland Security (DHS). DHS uses this data to assist in its oversight responsibilities and to prepare an annual report to Congress on agency compliance with FISMA.

3. The Department continues to face significant challenges in complying with the requirements of FISMA due to the nature and maturity of its information security program.
In order to better achieve FISMA outcomes, the Department needs to focus on several key areas, including:

   • Addressing security-related issues that contributed to the information technology material weakness reported in the FY 2012 audit of the Department’s consolidated financial statements, including expediting implementation plans for corrective actions needed to effectively address the recommendations made in this report.
   • Successfully remediating high-risk system security issues in its Plans of Action and Milestones, and using that process to improve VA’s information security posture.
   • Establishing effective processes for evaluating information security controls via continuous monitoring and vulnerability assessments.

4. CliftonLarsonAllen LLP was contracted to perform the FISMA audit and is responsible for the findings and recommendations included in the attached draft report dated June 2013. The OIG does not express an opinion on the effectiveness of the Department’s internal controls during FY 2012.

5. This report provides 32 recommendations for improving VA’s information security program; 27 recommendations are included in the report body and 5 recommendations are provided in Appendix A. The Appendix addresses the status of prior year recommendations not included in the report body and VA’s plans for corrective action. During FY 2012, two recommendations were administratively closed because VA’s corrective actions successfully addressed the underlying risks; a third recommendation was closed because it was superseded by a more current recommendation. Some recommendations have been modified to reflect new security risks identified during this year’s audit.

6. As part of this year’s audit, CliftonLarsonAllen LLP examined whether the Department’s corrective actions successfully addressed the outstanding recommendations. Some recommendations were not closed because relevant information security policies and procedures were not finalized, or because information security control deficiencies were repeated or newly identified during the FY 2012 FISMA audit.

7. We remain concerned that the implementation plan presented in your official comments contains milestones for completion well into FY 2014 for the following areas:

   • Agency-wide risk management program (recommendation 5)
   • Identity management and access control (recommendations 7, 9, and 10)
   • Configuration management controls (recommendation 12)
   • System development/change management controls (recommendation 15)
   • Incident response (recommendation 19)
   • Continuous network monitoring (recommendation 22)

8. The impact of these open recommendations needs to be considered in the FY 2013 assessment of VA’s security posture.
Since several recommendations will remain open through FY 2014, the delays in implementing effective corrective actions can potentially contribute to reporting an IT material weakness in this year’s audit of VA’s Consolidated Financial Statements.

9. Our independent auditors will follow up on the outstanding recommendations and evaluate the adequacy of corrective actions during the FY 2013 FISMA audit. However, in an effort to better oversee the implementation plan to completion in FY 2014, OIG will require interim progress reports quarterly, starting October 1, 2013.

LINDA A. HALLIDAY

CliftonLarsonAllen LLP
11710 Beltsville Drive, Suite 300
Calverton, MD 20705
301-931-2050 | fax 301-931-1710
www.cliftonlarsonallen.com

May 30, 2013

The Honorable George Opfer
Inspector General
Department of Veterans Affairs
801 I Street, Northwest
Washington, DC 20001

Dear Mr. Opfer:

Attached is our report on the performance audit we conducted to evaluate the Department of Veterans Affairs’ (VA) compliance with the Federal Information Security Management Act of 2002 (FISMA) for the federal fiscal year ending September 30, 2012, in accordance with guidelines issued by the United States Office of Management and Budget (OMB) and applicable National Institute of Standards and Technology (NIST) information security guidelines.

CliftonLarsonAllen LLP was contracted to perform the FISMA audit and is responsible for the findings and recommendations highlighted in the attached report. We conducted this performance audit in accordance with Government Auditing Standards developed by the Government Accountability Office. This is not an attestation level report as defined under the American Institute of Certified Public Accountants standards for attestation engagements. Our procedures were designed to respond to the FISMA-related questions outlined in the OMB template for the Inspectors General and to evaluate VA’s information security program’s compliance with FISMA requirements and applicable NIST information security guidelines as defined in our audit program. Based on our audit procedures, we conclude that VA continues to face significant challenges meeting the requirements of FISMA.

We performed the FISMA performance audit, using procedures prepared by CliftonLarsonAllen LLP and approved by the Office of the Inspector General (OIG), during the period April 2012 through November 2012. Had other procedures been performed, or other systems subjected to testing, different findings, results, and recommendations might have been provided.
The projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the information security program or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

We performed limited reviews of the findings, conclusions, and opinions expressed in this report that were related to the financial statement audit performed by CliftonLarsonAllen LLP. The financial statement audit results have been combined with the FISMA performance audit findings. We do not provide an opinion regarding the results of the financial statement audit. In addition to the findings and recommendations, our conclusions related to VA are contained within the OMB FISMA reporting template provided to the OIG in November 2012. The completion of the OMB FISMA reporting template was based on management’s assertions and the results of our FISMA test procedures, while the OIG determined the status of the prior year recommendations with the support of CliftonLarsonAllen.

This report is intended solely for those on the distribution list in Appendix F, and is not intended to be and should not be used by anyone other than these specified parties.

Sincerely,

CLIFTONLARSONALLEN LLP

Report Highlights: VA’s FISMA Audit for FY 2012

Why We Did This Audit

The Federal Information Security Management Act (FISMA) requires agency Inspectors General to annually assess the effectiveness of agency information security programs and practices. Our FY 2012 audit determined the extent to which VA’s information security program complied with FISMA requirements and applicable National Institute of Standards and Technology guidelines. We contracted with an independent accounting firm, CliftonLarsonAllen LLP, to perform this audit.

What We Found

VA has made progress developing policies and procedures but still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. While some improvements were noted, FISMA audits continued to identify significant deficiencies related to access controls, configuration management controls, continuous monitoring controls, and service continuity practices designed to protect mission-critical systems. Also, prior FISMA recommendations remain open.

Weaknesses in access and configuration management controls resulted from VA not fully implementing security control standards on all servers and network devices. VA also has not effectively implemented procedures to identify and remediate system security vulnerabilities on network devices, database and server platforms, and Web applications VA-wide. Further, VA has not remediated approximately 4,000 outstanding system security risks in its corresponding Plans of Action and Milestones to improve its overall information security posture. As a result of the FY 2012 consolidated financial statement audit, CliftonLarsonAllen LLP concluded a material weakness still exists in VA’s information security program.

What We Recommend

We recommend the Acting Assistant Secretary for Information and Technology implement comprehensive measures to mitigate security vulnerabilities affecting VA’s mission-critical systems.

Agency Comments

The Acting Assistant Secretary for Information and Technology agreed with our findings and recommendations and provided plans for corrective actions.

OIG Comments

We will monitor implementation of the action plans. However, we remain concerned that several of the action plans are not expected to be in place until September 2014 for both new and prior recommendations. OIG will monitor implementation through interim progress reports until proposed actions are complete.

LINDA A. HALLIDAY
Assistant Inspector General for Audits and Evaluations

TABLE OF CONTENTS

Introduction ..... 1
Results and Recommendations ..... 2
  Finding 1   Agency-wide Risk Management Program ..... 2
              Recommendations ..... 4
  Finding 2   Identity Management and Access Controls ..... 6
              Recommendations ..... 7
  Finding 3   Configuration Management Controls ..... 9
              Recommendations ..... 10
  Finding 4   System Development/Change Management Controls ..... 11
              Recommendation ..... 11
  Finding 5   Contingency Planning ..... 12
              Recommendations ..... 12
  Finding 6   Incident Response ..... 14
              Recommendations ..... 15
  Finding 7   Continuous Monitoring ..... 16
              Recommendations ..... 17
  Finding 8   Security Capital Planning ..... 18
              Recommendation ..... 18
  Finding 9   Contractor Systems Oversight ..... 19
              Recommendations ..... 19
  Finding 10  Security Awareness Training ..... 20
              Recommendation ..... 20
  Appendix A  Status of Prior-Year Recommendations ..... 22
  Appendix B  Background ..... 27
  Appendix C  Scope and Methodology ..... 29
  Appendix D  Acting Assistant Secretary for Information and Technology Comments ..... 31
  Appendix E  Office of Inspector General Contact and Staff Acknowledgements ..... 41
  Appendix F  Report Distribution ..... 42

INTRODUCTION

Objective

The objective of this audit was to determine the extent to which VA’s information security program and practices comply with Federal Information Security Management Act (FISMA) requirements, Department of Homeland Security (DHS) reporting requirements, and applicable Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance. The VA Office of Inspector General (OIG) contracted with the independent accounting firm CliftonLarsonAllen LLP to perform the FY 2012 FISMA audit.

Overview

Information security is a high-risk area Government-wide. Congress passed the E-Government Act of 2002 (Public Law 107-347) in an effort to strengthen Federal information security programs and practices. FISMA provides a comprehensive framework to ensure the effectiveness of security controls over information resources that support Federal operations and assets. Audit teams assessed the Department’s information security program through inquiries, observations, and tests of selected controls supporting 81 major applications and general support systems at 22 VA facilities. The teams identified specific deficiencies in the following areas.

1. Agency-Wide Risk Management Program
2. Identity Management and Access Controls
3. Configuration Management Controls
4. System Development/Change Management Controls
5. Contingency Planning
6. Incident Response
7. Continuous Monitoring
8. Security Capital Planning
9. Contractor Systems Oversight
10. Security Awareness Training

This report provides 32 total recommendations, including four new recommendations, for improving VA’s information security program. 27 recommendations are included in the report body and five recommendations are provided in Appendix A. The Appendix addresses the status of recommendations not included in the report body and VA’s plans for corrective action. During FY 2012, two recommendations were administratively closed because VA’s corrective actions successfully addressed the underlying risks; a third recommendation was closed because it was superseded by a more current recommendation. These recommendations are annotated as “closed” in Appendix A. The FY 2011 report provided 31 recommendations for improvement.

RESULTS AND RECOMMENDATIONS

Finding 1   Agency-wide Risk Management Program

FISMA requires each Federal agency to develop, document, and implement an agency-wide information security risk management program. VA has made progress developing policies and procedures as part of its program. However, VA still faces challenges implementing components of its agency-wide information security risk management program to meet FISMA requirements. Consequently, FISMA audits continue to identify significant deficiencies related to access controls, configuration management controls, change management controls, and service continuity practices designed to protect mission-critical systems from unauthorized access, alteration, or destruction.

Progress Made While Challenges Remain

In 2007, the Department issued VA Directive 6500, Information Security Program, and VA Handbook 6500, Information Security Program, defining the high-level policies and procedures to support its agency-wide information security risk management program. In FY 2012, VA began updating VA Handbook 6500 to be consistent with revised NIST Special Publications and to supplement existing VA directives and handbooks. OMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, issued in September 2012, provides guidance for Federal agencies to follow in meeting the reporting requirements under FISMA.

To address annual reporting requirements and ongoing system security weaknesses, VA launched a Continuous Readiness in Information Security Program (CRISP).
The program is intended to improve access controls, configuration management, contingency planning, and the security management of a large number of information technology systems. VA also established a CRISP core team to oversee this initiative and resolve the information security material weakness related to information technology security controls, as reported in VA’s annual audit of its consolidated financial statements. As a result of the CRISP initiative, we noted improvements related to:

   • Training, both role-based and security awareness
   • Testing contingency plans
   • Reducing the number of outstanding Plans of Action and Milestones (POA&Ms)
   • Developing initial baseline configurations
   • Reducing the number of individuals with outdated background investigations
   • Improving data center Web application security

Because the CRISP initiative was not launched until March 2012, the process improvements were not in place for an entire fiscal year.

Moving forward, VA needs to ensure a proven process is in place to sustain the improvements achieved thus far. VA also needs to continue to address control deficiencies existing in other areas across all VA locations. While VA has made progress updating risk management policies and procedures, our FISMA audits identified deficiencies related to VA’s risk management approach, POA&Ms, and system security plans, which are discussed in the following section. Each of these processes is critical for protecting the Department’s mission-critical systems through appropriate risk mitigation strategies.

Risk Management Strategy

VA has not fully developed and implemented components of its agency-wide information security risk management program to meet FISMA requirements. Specifically, VA has not ensured that its information security controls are effectively monitored on an ongoing basis, to include documenting significant changes to the system, conducting security impact analyses for system changes, and reporting system changes to designated organizational officials. Risk assessments were not properly updated, as they included references to inaccurate system environment information.
Further,\n                    some security self assessments were not performed annually in accordance\n                    with FISMA requirements.\n\n                    NIST SP 800-37, Guide for Applying the Risk Management Framework to\n                    Federal Information Systems: A Security Life Cycle Approach, states that an\n                    agency\xe2\x80\x99s risk management framework should address \xe2\x80\x9crisk from an\n                    organizational perspective with the development of a comprehensive\n                    governance structure and organization-wide risk management strategy.\xe2\x80\x9d VA\n                    began updating its VA Handbook 6500 to provide guidelines on how to\n                    comply with revised risk management requirements. Additionally, VA is\n                    implementing a risk governance structure, including a Risk Management\n                    Governance Board and strategy to monitor system security risks and\n                    implement risk mitigation controls across the enterprise. Until this effort is\n                    complete, enterprise-wide risks may not be fully identified or mitigated with\n                    appropriate risk mitigation strategies.\n\nPlans of            OMB Memorandum M-02-01, Guidance for Preparing and Submitting\nAction and          Security Plans of Action and Milestones, defines management and reporting\nMilestones\n                    requirements for agency POA&Ms, including deficiency descriptions,\n                    remediation actions, required resources, and responsible parties. 
According\n                    to data available from VA\xe2\x80\x99s central reporting database, VA has reduced the\n                    number of open POA&Ms from approximately 15,000 in FY 2011 to\n\nVA Office of Inspector General                                                                   3\n\x0c                                                                     VA\xe2\x80\x99s FISMA Audit for FY 2012\n\n\n                    4,000 in FY 2012. POA&Ms identify which actions must be taken to\n                    remediate system security risks and improve VA\xe2\x80\x99s information security\n                    posture. POA&M reductions partially resulted from VA leveraging FISMA\n                    stakeholder teams to ensure that corrective actions address previous FISMA\n                    report recommendations.\n\n                    VA has made progress in updating and closing POA&Ms in a timelier\n                    manner across VA sites and systems. Despite these improvements, audit\n                    teams continue to identify deficiencies related to reporting, managing, and\n                    closing POA&Ms. For example, audit teams identified POA&Ms that\n                    lacked sufficient documentation to justify closure, action items that missed\n                    major milestones, and items that were not updated to accurately reflect their\n                    current status. In addition, many POA&Ms were closed based upon\n                    Executive Decision Memoranda or Risk-Based Decision Memoranda;\n                    however, system security risks still remain as the underlying weaknesses\n                    have not been fully remediated.\n\n                    POA&M deficiencies resulted from a lack of accountability for closing\n                    items and a lack of controls to verify supporting documentation had been\n                    input to the central database. 
Furthermore, unclear responsibility for\n                    addressing POA&M records at the \xe2\x80\x9clocal\xe2\x80\x9d level continues to adversely affect\n                    remediation efforts across the enterprise. By failing to fully remediate\n                    significant system security risks in the near term, VA management cannot\n                    ensure that information security controls will protect VA systems\n                    throughout their life cycles. Further, without sufficient documentation in\n                    the central database to justify closure of POA&Ms, VA cannot ensure that\n                    corresponding security risks have been fully mitigated.\n\nSystem              Audit teams continue to identify system security plans with inaccurate\nSecurity Plans      information regarding operational environments including system\n                    interconnections and compensating information security controls. VA\n                    Handbook 6500, Appendix D provides guidelines on maintaining and\n                    updating system security plans for major applications and general support\n                    systems. Because of deficiencies in this area, system owners may not fully\n                    identify relative boundaries, interdependencies, compensating information\n                    security controls, and security risks affecting mission-critical systems.\n\n                    Recommendations\n\n                    1.\t   We recommend the Acting Assistant Secretary for Information and\n                          Technology fully develop and implement an agency-wide risk\n                          management governance structure, along with mechanisms to\n                          identify, monitor, and manage risks across the enterprise. 
(This is a repeat recommendation from last year.)
2. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central database to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from last year.)
3. We recommend the Acting Assistant Secretary for Information and Technology define and implement clear roles and responsibilities for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a repeat recommendation from last year.)
4. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)
5. We recommend the Acting Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information.
(This is a repeat recommendation from last year.)
6. We recommend the Acting Assistant Secretary for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self-assessments on at least an annual basis, and ensure all required information accurately reflects the current environment and new risks in accordance with Federal standards. (This is a new recommendation.)

Finding 2  Identity Management and Access Controls

Audit teams identified significant deficiencies in VA's identity management and access controls.
VA Handbook 6500, Appendixes D and F provide comprehensive guidelines for authenticating users and protecting VA's critical systems from unauthorized access, alteration, or destruction. Our FISMA audit identified significant information security control deficiencies in the following areas.

• Password Management
• Access Management
• Audit Trails
• Remote Access

Password Management

While VA Handbook 6500, Appendix F establishes password management standards for authenticating VA system users, our audit teams continued to identify multiple password management vulnerabilities. For example, the teams found a significant number of weak passwords on major databases, applications, and networking devices at most VA facilities. Additionally, password parameter settings for network domains, databases, key financial applications, and servers were not consistently configured to enforce VA's password policy standards.

While some improvements have been made, we continue to identify security weaknesses that were not remediated from prior years. Many of these weaknesses can be attributed to VA's ineffective enforcement of its agency-wide information security risk management program and ineffective communication from senior management to the individual field offices.
The use of weak passwords is a well-known security vulnerability that allows malicious users to easily gain unauthorized access to mission-critical systems.

Access Management

VA Handbook 6500, Appendix D details access management policies and procedures for VA's information systems. However, reviews of permission settings identified numerous instances of unnecessary system privileges, unauthorized user accounts, accounts without formal access authorizations, and active accounts for terminated employees. User access requests were not consistently reviewed to eliminate conflicting roles and enforce segregation of duties principles. Additionally, we noted inconsistent monitoring of access in production environments for individuals with excessive application privileges within major applications. This occurred because VA has not implemented effective reviews to eliminate such instances of unauthorized system access and excessive permissions. Periodic reviews are critical to restrict legitimate users to specific systems, programs, and data and to prevent unauthorized access by both internal and external users. Unauthorized access to critical systems can leave sensitive data vulnerable to inappropriate modification or destruction.

Audit Trails

VA did not consistently review security violations and audit logs supporting mission-critical systems.
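The two controls discussed above under Password Management and Access Management, the enforcement of password parameters and the periodic review of accounts for terminated owners, missing authorizations and conflicting roles, can both be automated against exported data. The following is an added example written for this page, not code from the VA OIG report or from VA's own tooling. The HR roster, accounts, segregation-of-duties conflict pairs, password baseline values and per-system effective settings are all constructed for illustration; in particular the baseline numbers are an assumption standing in for whatever VA Handbook 6500, Appendix F actually requires.

```python
"""Added example (not from the VA OIG report or VA's own tooling): the
periodic identity and access review described in Finding 2.  The HR roster,
accounts, conflict matrix, password baseline and effective settings below
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Segregation-of-duties conflicts: one account must not hold both roles of
# any pair.  Hypothetical conflict matrix, not VA's.
SOD_CONFLICTS = [("payment_entry", "payment_approval"),
                 ("vendor_maintenance", "payment_approval")]


@dataclass
class Account:
    name: str
    owner: str                      # HR employee id; "" for a local/service account
    roles: set = field(default_factory=set)
    authorization: str = ""         # access-request ticket that approved the account
    last_logon: Optional[date] = None


def review_accounts(accounts, hr_roster, as_of, dormant_days=90):
    """Reconcile accounts against HR status, authorization records and the
    conflict matrix.  Returns (account name, issue) pairs."""
    findings = []
    for acct in accounts:
        status = hr_roster.get(acct.owner)
        if acct.owner and status is None:
            findings.append((acct.name, "owner not found in HR roster"))
        elif status == "terminated":
            findings.append((acct.name, "active account for terminated employee"))
        if not acct.authorization:
            findings.append((acct.name, "no formal access authorization on file"))
        for a, b in SOD_CONFLICTS:
            if a in acct.roles and b in acct.roles:
                findings.append((acct.name, f"segregation-of-duties conflict: {a} + {b}"))
        if acct.last_logon and (as_of - acct.last_logon).days > dormant_days:
            findings.append((acct.name, f"no logon in more than {dormant_days} days"))
    return findings


# Minimum parameter values a domain, database or device must enforce.
# Hypothetical values standing in for VA Handbook 6500, Appendix F.
PASSWORD_BASELINE = {"min_length": 12, "history": 24, "complexity": True,
                     "max_age_days": 90, "lockout_threshold": 5}
UPPER_BOUND = {"max_age_days", "lockout_threshold"}   # smaller is stricter; 0 means "never"


def check_password_settings(system, effective):
    """Compare a system's effective password parameters with the baseline.
    Returns (system, parameter, effective value, required value) per deviation."""
    deviations = []
    for param, required in PASSWORD_BASELINE.items():
        value = effective.get(param)
        if param in UPPER_BOUND:
            ok = value is not None and 0 < value <= required
        elif param == "complexity":
            ok = value is True
        else:
            ok = value is not None and value >= required
        if not ok:
            deviations.append((system, param, value, required))
    return deviations


# Constructed sample data.
HR_ROSTER = {"E100": "active", "E101": "terminated", "E102": "active"}
ACCOUNTS = [
    Account("jdoe", "E100", {"payment_entry"}, "REQ-2041", date(2012, 9, 1)),
    Account("rsmith", "E101", {"payment_approval"}, "REQ-1877", date(2012, 3, 2)),
    Account("svc_backup", "", {"backup_operator"}, "", date(2012, 9, 28)),
    Account("mlee", "E102", {"payment_entry", "payment_approval"}, "REQ-2098", date(2012, 9, 27)),
]
AS_OF = date(2012, 9, 30)
EFFECTIVE_SETTINGS = {
    "VAMC-DOMAIN": {"min_length": 12, "history": 24, "complexity": True,
                    "max_age_days": 90, "lockout_threshold": 5},
    "FIN-DB-01": {"min_length": 8, "history": 0, "complexity": False,
                  "max_age_days": 0, "lockout_threshold": 0},
}

if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"{name:12s} {issue}")
    for system, settings in EFFECTIVE_SETTINGS.items():
        for _, param, value, required in check_password_settings(system, settings):
            print(f"{system:12s} {param}={value!r}, baseline requires {required!r}")
```

Two design points matter in practice. A service account with no HR owner is not automatically a finding, but it must still carry an authorization record, which is why the owner check and the authorization check are separate. For the upper-bound parameters, a value of 0 usually means "never" (no expiry, no lockout), so the check treats 0 as a deviation rather than as the strictest possible setting.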
VA Handbook 6500, Appendix D provides high-level policy and procedures for collection and review of system audit logs. However, most VA facilities did not have audit policy settings configured on major systems and had not implemented the automated mechanisms needed to periodically monitor system audit logs. Such audit trail reviews are critical to security-related activities such as determining individual accountability, reconstructing security events, detecting intruders, and identifying system performance issues.

Remote Access

VA lacks a consistent process for managing remote access to VA networks. In addition, multi-factor authentication for remote access has not been implemented across the agency. VA Handbook 6500, Appendix D establishes high-level policy and procedures for managing remote connections. VA personnel can remotely log onto VA networks using several virtual private network applications for encrypted remote access. However, one specific application does not ensure end-user computers are updated with current system security patches and antivirus signatures before users remotely connect to VA networks. Encrypting the tunnel protects the traffic in transit but does nothing for a compromised endpoint: end-user computers could be infected with malicious viruses or worms, which can easily spread across the tunnel to interconnected systems. VA is migrating most remote users to virtual private network solutions that will better protect end-user computers through automated system updates.
Moving forward, VA needs to fully implement multi-factor authentication for remote access and ensure that all remote users' computers are adequately protected before connecting to VA networks.

Recommendations

7. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)
8. We recommend the Acting Assistant Secretary for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts. (This is a repeat recommendation from last year.)
9. We recommend the Acting Assistant Secretary for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems.
(This is a repeat recommendation from last year.)
10. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from last year.)
11. We recommend the Acting Assistant Secretary for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a new recommendation.)

Finding 3  Configuration Management Controls

Audit teams continue to identify significant deficiencies in configuration management controls designed to ensure VA's critical systems have appropriate security baselines and up-to-date vulnerability patches implemented. VA Handbook 6500, Appendix D provides high-level policy guidelines regarding mandatory configuration settings for information technology hardware, software, and firmware.
However, testing identified unsecure Web application servers, excessive permissions on database platforms, a significant number of outdated and vulnerable third-party applications and operating system software, and a lack of common platform security standards across the enterprise.

Unsecure Web Applications

Assessments of Web-based applications identified several instances of VA data facilities hosting unsecure Web-based services that could allow malicious users to gain unauthorized access to VA information systems. Additionally, an attacker could potentially alter sensitive data or covertly run unauthorized programs on Web applications. NIST Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers, recommends that "Organizations should implement appropriate security management practices and controls when maintaining and operating a secure Web Server." Despite the guidelines, VA has not implemented effective controls to identify and remediate security weaknesses on its Web applications. VA has mitigated some information system security risks from the Internet through the use of network filtering appliances. However, VA's internal network remains susceptible to attack from malicious users who could exploit these vulnerabilities and gain unauthorized access to VA information systems.

Unsecure Database Applications

Database vulnerability assessments continue to identify a significant number of unsecure configuration settings that could allow any database user to gain unauthorized access to critical system information.
NIST Special Publication 800-64, Revision 1, Security Considerations in the Information System Development Life Cycle, states that configuration management and control procedures are critical to establishing an initial baseline of hardware, software, and firmware components for the information system. VA has not implemented effective controls to identify and remediate security weaknesses on databases hosting mission-critical applications. Unsecure database configuration settings can allow any database user to gain unauthorized access to critical system information.

Application and System Software Vulnerabilities

Network vulnerability assessments again identified a significant number of outdated operating systems and vulnerable third-party applications that could allow unauthorized access to mission-critical systems and data. NIST Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program, states that an agency's patch and vulnerability management program should be integrated with configuration management to ensure efficiency. VA has not implemented effective controls to identify and remediate security weaknesses associated with outdated third-party applications and operating system software.
Deficiencies in the Department's patch and vulnerability management program could allow malicious users unauthorized access to mission-critical systems and data. By implementing a robust patch and vulnerability management program, VA could effectively remediate vulnerabilities identified in operating systems, databases, applications, and other network devices.

Baseline Security Configurations

VA was still working to develop guidelines to define agency-wide security configuration baselines for its major information system components. FISMA Section 3544 requires each agency to establish minimally acceptable system configuration requirements and ensure compliance. However, we noted that common platform security standards and Federal Desktop Core Configurations were not consistently implemented on all VA systems. For example, testing at VA facilities revealed varying levels of compliance (88 to 96 percent) with Federal Desktop Core Configuration standards for end-user systems. Testing also identified numerous network devices not configured to a common security configuration standard, resulting in default network services, excessive permissions, weak administrator passwords, and outdated versions of the network operating system.
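The three deficiencies Finding 3 describes, outdated software below a patched version, default network services left enabled, and settings that deviate from a baseline such as the Federal Desktop Core Configuration, are all checks that can be run automatically over an asset inventory, and the compliance percentage auditors quote falls out of the same pass. The following is an added example written for this page, not code from the VA OIG report or from VA's own "Visibility to Server" or "Visibility to Desktop" tooling. The product names, minimum versions, prohibited services, baseline settings and the three sample hosts are constructed for illustration.

```python
"""Added example (not from the VA OIG report or VA's own tooling): checking
an asset inventory against minimum patch levels and a security configuration
baseline, the automated check Finding 3 says VA lacks.  Product names,
version floors, service lists, settings and hosts below are constructed."""
import re


def version_key(text):
    """Turn '2.2.22', '6.1.7601' or '12.4(24)' into a comparable integer tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


# Hypothetical minimum patched versions per platform and per package.
MIN_OS_VERSION = {"linux": "2.6.32", "windows": "6.1.7601", "ios": "12.4(24)"}
MIN_PKG_VERSION = {"httpd": "2.2.22", "openssl": "1.0.1", "java": "1.7.0"}
# Default services a compliant host must not expose (hypothetical list).
PROHIBITED_SERVICES = {"telnet", "ftp", "finger", "snmp-public"}
# Settings every host must enforce (hypothetical FDCC-style items).
REQUIRED_SETTINGS = {"screen_lock_minutes": 15, "firewall_enabled": True,
                     "audit_logon_events": True}


def check_host(host):
    """Return the patch and baseline deficiencies found on one host."""
    issues = []
    floor = MIN_OS_VERSION.get(host["platform"])
    if floor and version_key(host["os_version"]) < version_key(floor):
        issues.append(f"outdated OS {host['os_version']} (< {floor})")
    for pkg, ver in host["packages"].items():
        floor = MIN_PKG_VERSION.get(pkg)
        if floor and version_key(ver) < version_key(floor):
            issues.append(f"vulnerable {pkg} {ver} (< {floor})")
    for svc in sorted(PROHIBITED_SERVICES & set(host["services"])):
        issues.append(f"default service enabled: {svc}")
    for key, required in REQUIRED_SETTINGS.items():
        actual = host["settings"].get(key)
        if key == "screen_lock_minutes":          # 0 means "never lock"
            ok = actual is not None and 0 < actual <= required
        else:
            ok = actual == required
        if not ok:
            issues.append(f"{key}={actual!r}, baseline requires {required!r}")
    return issues


def compliance_rate(hosts):
    """Percentage of hosts with no deficiencies, the figure auditors report."""
    compliant = sum(1 for h in hosts if not check_host(h))
    return round(100 * compliant / len(hosts), 1)


# Constructed sample inventory: a Linux web server, a Windows workstation
# and a network device.
INVENTORY = [
    {"name": "web01", "platform": "linux", "os_version": "2.6.32-279",
     "packages": {"httpd": "2.2.15", "openssl": "1.0.0"},
     "services": ["ssh", "httpd"],
     "settings": {"screen_lock_minutes": 15, "firewall_enabled": True,
                  "audit_logon_events": True}},
    {"name": "ws042", "platform": "windows", "os_version": "6.1.7601",
     "packages": {"java": "1.7.0"},
     "services": ["rdp"],
     "settings": {"screen_lock_minutes": 15, "firewall_enabled": True,
                  "audit_logon_events": True}},
    {"name": "rtr-07", "platform": "ios", "os_version": "12.4",
     "packages": {},
     "services": ["telnet", "snmp-public", "ssh"],
     "settings": {"screen_lock_minutes": 0, "firewall_enabled": False}},
]

if __name__ == "__main__":
    for host in INVENTORY:
        for issue in check_host(host) or ["compliant"]:
            print(f"{host['name']:8s} {issue}")
    print(f"baseline compliance: {compliance_rate(INVENTORY)}%")
```

The version comparison deliberately reduces a version string to its numeric components so that a vendor build suffix such as "-279" or a parenthesised release such as "12.4(24)" still compares correctly; a missing required setting is reported the same way as a wrong one, because an inventory tool that cannot read the setting gives no evidence of compliance.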
By not implementing consistent agency-wide configuration management standards for major applications and general support systems, VA is placing critical systems at unnecessary risk of unauthorized access, alteration, or destruction.

Recommendations

12. We recommend the Acting Assistant Secretary for Information and Technology implement effective automated mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platforms, and Web application servers. (This is a modified repeat recommendation from last year.)
13. We recommend the Acting Assistant Secretary for Information and Technology implement a patch and vulnerability management program to address security deficiencies identified during our assessments of VA's Web applications, database platforms, network infrastructure, and workstations.
(This is a modified repeat recommendation from last year.)
14. We recommend the Acting Assistant Secretary for Information and Technology implement standard security configuration baselines for all VA operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)

Finding 4  System Development/Change Management Controls

VA has not fully implemented procedures to enforce standardized system development and change management controls for its mission-critical systems. FISMA Section 3544 requires establishing policies and procedures to ensure information security is addressed throughout the life cycle of each agency information system. VA Handbook 6500.5, Incorporating Security and Privacy into the System Development Life Cycle, also discusses integrating information security controls and privacy throughout the life cycle of each system.

Our audit teams continued to identify software changes to mission-critical systems and infrastructure network devices that did not follow standardized software change control procedures. Further, numerous test plans, test results, and approvals were either incomplete or missing.
By not enforcing a standardized change control methodology, system development projects may be inconsistently developed, tested, and migrated into production, placing VA systems at risk of unauthorized or unintended software modifications.

Recommendation

15. We recommend the Acting Assistant Secretary for Information and Technology implement procedures to enforce a system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from last year.)

Finding 5  Contingency Planning

Overall, we noted an improvement in contingency plan testing since our FY 2011 audit.
However, VA contingency plans still were not fully documented, and test results were not consistently communicated to senior management. While VA Handbook 6500, Appendix D establishes high-level policy and procedures for contingency planning and plan testing, our assessment identified the following deficiencies related to contingency planning.

• Many Information System Contingency Plans had not been updated to reflect lessons learned from contingency and disaster recovery tests, provide detailed recovery procedures for all system priority components, or reflect current operating conditions.
• Alternate processing site agreements between the Regional Office and Information Technology Centers were not in place to ensure all parties are aware of their respective responsibilities in the event of a disaster.
• Backup tapes for mission-critical systems were not encrypted prior to being sent offsite for storage.

Incomplete documentation of test plans, test results, and alternate processing site agreements can prevent timely restoration of services in the event of a system disruption or disaster. Inadequate testing may lead to critical system failures during the execution of system contingency plans. Inadequate communication of test results may prevent lessons learned from being recognized and adopted.
Moreover, by not encrypting backup tapes, VA is at risk of data theft or unauthorized disclosure of sensitive data should a tape be lost or stolen in transit or at the storage site.

In October 2011, VA implemented the Office of Information and Technology Annual Security Calendar, requiring all Information System Contingency and Disaster Recovery Plans to be updated on an annual basis.

Recommendations

16. We recommend the Acting Assistant Secretary for Information and Technology implement processes to ensure information system contingency plans are updated with the required information and lessons learned are communicated to senior management. (This is a modified repeat recommendation from last year.)
17. We recommend the Acting Assistant Secretary for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite. (This is a new recommendation.)
18. We recommend the Acting Assistant Secretary for Information and Technology ensure that agreements for alternate processing sites have been established that define the roles and responsibilities for alternate locations in the event of a disaster.
(This is a new recommendation.)

Finding 6  Incident Response

VA is unable to monitor all external interconnections and internal network segments for malicious traffic or unauthorized system access attempts. FISMA Section 3544 requires each agency to develop and implement an agency-wide information security program containing specific procedures for detecting, reporting, and responding to computer security incidents. Audit teams identified deficiencies with VA's security incident management and external network monitoring processes.

VA performs significant monitoring of its known Internet gateways to identify and respond to computer security events and potential network intrusions. This monitoring includes some event correlation, which is the process of tying multiple log entries together to identify larger trends, intrusions, or intrusion attempts. However, VA has not fully implemented the security information and event management technologies needed for effective event correlation analysis.
VA also has no automated 24-hour security alert capability for all platforms and databases hosted at its Information Technology Centers.

To improve incident management, VA's Network Security Operations Center continues to implement its Trusted Internet Connection initiative to identify all system interconnections and consolidate them into four VA gateways. Although progress has been made in cataloging the many interconnections for monitoring purposes, unknown and unmonitored connections still exist. In addition, our audit teams continued to identify several system interconnections without valid Interconnection Security Agreements and Memoranda of Understanding to govern them. Ineffective monitoring of external network interconnections could prevent VA from detecting and responding to an intrusion attempt in a timely manner.

Our audits continue to identify numerous high-risk computer security incidents, including malware infections that were not remediated in a timely manner. Specifically, we noted a high number of malware security incident tickets that took more than 30 days to remediate and close. While VA's performance has improved from the prior year, the process for tracking higher-risk tickets remained inefficient, and some computer security incidents were not remediated in a timely manner.
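The tracking problem described above, malware tickets open for more than 30 days and no efficient way to surface the higher-risk ones, is addressed in practice by an aging report that measures every ticket against a remediation target tied to its severity. The following is an added example written for this page, not code from the VA OIG report or VA's Network Security Operations Center. The four tickets are constructed, and the per-severity targets are an assumption in the spirit of the NIST SP 800-61 examples cited in the report, not a VA standard.

```python
"""Added example (not from the VA OIG report or VA's own tooling): an aging
report for security incident tickets against tiered remediation targets, the
tracking of higher-risk tickets Finding 6 found inefficient.  Tickets are
constructed; targets are an assumption, not a VA standard."""
from datetime import datetime, timedelta

# Hypothetical remediation targets by severity.
TARGETS = {"critical": timedelta(hours=4), "high": timedelta(hours=24),
           "medium": timedelta(days=7), "low": timedelta(days=30)}


def ticket_age(ticket, now):
    """Time from opening to closure, or to `now` for a ticket still open."""
    return (ticket["closed"] or now) - ticket["opened"]


def aging_report(tickets, now):
    """Classify each ticket as within target, breached (closed late) or
    overdue (still open and past target)."""
    report = []
    for t in tickets:
        age, target = ticket_age(t, now), TARGETS[t["severity"]]
        if age <= target:
            state = "within target"
        elif t["closed"]:
            state = "breached"
        else:
            state = "overdue"
        report.append({"id": t["id"], "severity": t["severity"],
                       "age_hours": round(age.total_seconds() / 3600, 1),
                       "state": state})
    return report


def open_worklist(tickets, now):
    """Open tickets ordered by how far past their target they are, worst first."""
    open_tickets = [t for t in tickets if not t["closed"]]
    open_tickets.sort(key=lambda t: ticket_age(t, now) - TARGETS[t["severity"]],
                      reverse=True)
    return [t["id"] for t in open_tickets]


def older_than(tickets, now, days=30):
    """Tickets whose remediation took, or has so far taken, more than `days`."""
    return [t["id"] for t in tickets if ticket_age(t, now) > timedelta(days=days)]


# Constructed sample queue as of a fixed point in time.
NOW = datetime(2012, 9, 30, 12, 0)
TICKETS = [
    {"id": "INC-5001", "severity": "critical",
     "opened": datetime(2012, 9, 30, 8, 0), "closed": datetime(2012, 9, 30, 11, 0)},
    {"id": "INC-4877", "severity": "high",
     "opened": datetime(2012, 9, 27, 9, 0), "closed": None},
    {"id": "INC-4102", "severity": "medium",      # malware infection
     "opened": datetime(2012, 8, 1, 10, 0), "closed": datetime(2012, 9, 15, 16, 0)},
    {"id": "INC-3990", "severity": "low",
     "opened": datetime(2012, 7, 20, 14, 0), "closed": None},
]

if __name__ == "__main__":
    for row in aging_report(TICKETS, NOW):
        print(f"{row['id']} {row['severity']:8s} {row['age_hours']:8.1f}h {row['state']}")
    print("work first:", open_worklist(TICKETS, NOW))
    print("over 30 days:", older_than(TICKETS, NOW))
```

Keeping "breached" (closed, but late) distinct from "overdue" (still open) is what makes the report useful for both views the finding needs: the historical count of tickets that took more than 30 days, and the live queue ordered so that the ticket furthest past its target is worked first rather than the oldest or the most recent.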
By contrast, NIST Special Publication 800-61, Computer Security Incident Handling Guide, provides examples of computer security incident response times ranging from 15 minutes to 4 hours, based on the criticality of the incidents. The guide also recommends that organizations develop their own incident response times based on organizational needs and the criticality of the resources affected by the security incidents.

Recommendations

19. We recommend the Acting Assistant Secretary for Information and Technology fully implement an automated 24-hour security event and incident correlation solution to monitor security for all system interconnections, database security events, and mission-critical platforms supporting VA programs and operations. (This is a modified repeat recommendation from last year.)
20. We recommend the Acting Assistant Secretary for Information and Technology identify all external network interconnections and ensure appropriate Interconnection Security Agreements and Memoranda of Understanding are in place to govern them.
(This is a repeat recommendation from last year.)
21. We recommend the Acting Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA-set standards. (This is a modified repeat recommendation.)

Finding 7  Continuous Monitoring

VA lacks an effective continuous monitoring process to identify its hardware and software inventory and perform automated monitoring for unauthorized software and hardware devices. NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, outlines the importance of deploying automated mechanisms to detect unauthorized components and configurations within agency networks. Because of inadequate VA monitoring procedures, our technical testing continued to identify significant deficiencies with configuration management controls designed to protect mission-critical systems from unauthorized access, alteration, or destruction.
For instance, our testing identified unsecure Web application servers, excessive permissions on database platforms, a significant number of outdated and vulnerable third-party applications and operating system software, and inconsistent platform security standards across the enterprise.

To better meet continuous monitoring requirements, VA's Information Security Continuous Monitoring Concept of Operations established a centralized, enterprise information technology framework that supports operational security demands for protection of critical information. VA's Information Security Continuous Monitoring process is being developed by the Office of Information and Technology's Office of Cyber Security. This framework is based on guidance from Continuous Monitoring Workgroup activities sponsored by the Department of Homeland Security and the Department of State. The goal of Information Security Continuous Monitoring is to examine the enterprise to develop a real-time analysis of actionable risks that may adversely impact mission-critical systems.

VA has improved systems and data security control protections by implementing technological solutions, such as secure remote access, application filtering, and portable storage device encryption. Further, VA is deploying various software and configuration monitoring tools to VA facilities as part of its "Visibility to Server" and "Visibility to Desktop" initiatives.
However, VA has not fully implemented the tools necessary to\n                    inventory the software components supporting critical programs and\n                    operations. Incomplete inventories of critical software components can\n                    hinder patch management processes and restoration of critical services in the\n                    event of a system disruption or disaster. Additionally, our testing reveals that\n                    VA facilities have not made effective use of these tools to actively monitor\n                    their networks for unauthorized software, hardware devices, and system\n                    configurations.\n\n\n\n\nVA Office of Inspector General                                                                   16\n\x0c                                                                   VA\xe2\x80\x99s FISMA Audit for FY 2012\n\n\n                    Recommendations\n\n                    22.\t We recommend the Acting Assistant Secretary for Information and\n                         Technology implement effective continuous monitoring processes to\n                         identify and prevent the use of unauthorized application software,\n                         hardware (including personal storage devices), and system\n                         configurations on its networks. (This is a repeat recommendation from\n                         last year.)\n                    23.\t We recommend the Acting Assistant Secretary for Information and\n                         Technology develop a comprehensive software inventory process to\n                         identify major and minor software applications used to support VA\n                         programs and operations. 
(This is a repeat recommendation from last year.)

Finding 8    Security Capital Planning

VA has not implemented processes to fully account for security-related costs within its Capital Planning and Investment Control budget process. As a result, the audit team was unable to trace Plans of Action and Milestones (POA&Ms) remediation costs to corresponding Exhibit 300s for certain mission-critical systems. NIST Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, states “the POA&M process provides a direct link to the capital planning process.” On October 17, 2001, OMB issued Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, stating “for each POA&M that relates to a project (including systems) for which a capital asset plan and justification (Exhibit 300) was submitted or was a part of the Exhibit 53, the unique project identifier must be reflected on the POA&M.”

In line with this Federal guidance, VA policy requires that security be included within the capital planning process. However, VA-specific guidance for integrating security into the budgeting process does not exist. Consequently, VA lacks procedures to ensure traceability of POA&M remediation costs to Exhibit 300s. For the future, formalized guidance is needed to ensure security-related needs are consistently evaluated and integrated into the capital planning budget process in accordance with set standards. Without specific guidance, VA cannot ensure that information security is integrated throughout the system life cycle and that adequate funding is budgeted to meet information security requirements.

Recommendation

24. We recommend the Acting Assistant Secretary for Information and Technology develop procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents. (This is a repeat recommendation from last year.)

Finding 9    Contractor Systems Oversight

In FY 2012, VA did not fully implement contractor oversight procedures as required by FISMA. According to FISMA Section 3544, an agency should ensure adequate information security for systems that support its operations, including those provided by another agency, contractor, or other source. In addition, VA Handbook 6500.6, Contract Security, provides detailed guidance on contractor systems oversight and establishment of security requirements for all VA contracts involving sensitive VA information.
Despite these requirements, our audit disclosed several deficiencies in VA’s contractor oversight activities in FY 2012. Specifically:

• VA did not provide “Authorizations to Operate” for selected contractor-owned and operated systems.
• VA did not provide evidence that contractor system security controls were appropriate.
• VA did not provide an annual inventory of contractor systems, including system interfaces and interconnection agreements.

Without implementing effective oversight mechanisms, VA cannot ensure that contractor security controls adequately protect sensitive systems and data in accordance with its information security requirements.

Recommendations

25. We recommend the Acting Assistant Secretary for Information and Technology implement procedures for overseeing contractor-managed systems and ensuring information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from last year.)

26. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including interfaces with contractor-managed systems, and annually review the systems inventory for accuracy. (This is a repeat recommendation from last year.)

Finding 10    Security Awareness Training

We noted improvements as part of the CRISP initiative in providing users with required role-based and security awareness training. However, VA has not fully implemented automated processes to track security awareness training for residents, volunteers, and contractors at all VA facilities. As a result, our testing identified personnel who had not completed VA’s security awareness training at some VA facilities. VA Handbook 6500, Appendix D, establishes high-level policy and procedures for the Department’s security awareness training program, requiring all users of sensitive information to annually complete VA’s security awareness training.

VA uses the Talent Management System, an online training system, to provide user access to a number of online training resources and track required security awareness and other training for VA employees and contractors. However, VA relies on manual processes to track fulfillment of training requirements by residents and volunteers, as automated tracking mechanisms have not been fully implemented.
Without automated tracking to support centralized monitoring of user training, management cannot ensure that these personnel complete the annual security awareness training requirements. Computer security awareness training is essential to help employees and contractors understand their information security and privacy responsibilities.

Recommendation

27. We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a modified repeat recommendation from last year.)

Summary of Response from the Acting Assistant Secretary for Information and Technology

The Department concurred with all findings and recommendations and prepared a response, which is presented in Appendix D. The Acting Assistant Secretary for Information and Technology stated that VA treats the protection of Veteran data very seriously. Accordingly, VA has embarked on a cultural transformation with implementation of the Continuous Readiness in Information Security Program (CRISP). The Acting Assistant Secretary stated that CRISP is a new operating model for protecting Veteran private and sensitive information.
The program embodies an integrated approach to protecting sensitive information from inappropriate exposure or loss. Management’s comments and corrective action plans are generally responsive to the recommendations. Recommendations will not close until relevant information security policies/procedures are finalized and information security control deficiencies are fully remediated. We will continue to evaluate VA’s progress during our audit of the Department’s information security program in FY 2013.

Appendix A    Status of Prior-Year Recommendations

Appendix A addresses the status of outstanding recommendations not included in the main report and VA’s plans for corrective action. As noted in the table below, some recommendations remain in progress. During FY 2012, two recommendations were administratively closed because VA’s corrective actions successfully addressed the underlying risks; one recommendation was closed because it was superseded by a more current recommendation. The corrective actions outlined below are based on management assertions and results of our audit testing.

Table. Status of Prior Year Recommendations

Number: FY 2011–02
Recommendation: We recommend the Assistant Secretary for Information and Technology dedicate resources to remediate the large number of unresolved Plans of Action and Milestones in the near term while concurrently focusing on addressing high-risk system security deficiencies.
Status (In Progress or Closed): Closed
Estimated Completion: Not Applicable
Corrective Actions: No exceptions were identified during FY 2012 FISMA testing.

Number: FY 2011–22
Recommendation: We recommend the Assistant Secretary for Information and Technology identify and ensure personnel with specialized security responsibilities fulfill annual specialized computer security training requirements.
Status (In Progress or Closed): Closed
Estimated Completion: Not Applicable
Corrective Actions: No exceptions were identified during FY 2012 FISMA testing.

Number: FY 2010–21
Recommendation: We recommend the Assistant Secretary for Information and Technology develop mechanisms to ensure risk assessments accurately reflect the current control environment, compensating controls, and the characteristics of the relevant VA facilities.
Status (In Progress or Closed): In Progress
Estimated Completion: September 2013
Corrective Actions: VA is establishing a Risk Management Governance Board, which will implement uniform risk assessment procedures throughout VA.

Number: FY 2006–03
Recommendation: We recommend the Assistant Secretary for Information and Technology review and update all applicable position descriptions to better describe sensitivity ratings and better document employee personnel records and contractor files, including “Rules of Behavior” instructions, annual privacy and Health Insurance Portability and Accountability Act of 1996 training certifications, and position sensitivity level designations.
Status (In Progress or Closed): In Progress
Estimated Completion: To Be Determined
Corrective Actions: VA Directive and Handbook 0710, Personnel Suitability and Security Program, documents have been updated. VA developed action items (March 2012) to better coordinate reviews of existing position descriptions, position risk and sensitivity determinations, and current levels of employee background investigations. This process will help ensure consistent application of VA Directive 0710, Personnel Suitability and Security Program.

Number: FY 2006–04
Recommendation: We recommend the Assistant Secretary for Information and Technology ensure appropriate levels of background investigations be completed for all applicable VA employees and contractors in a timely manner, implement processes to monitor and ensure timely reinvestigations on all applicable employees and contractors, and monitor the status of the requested investigations.
Status (In Progress or Closed): In Progress
Estimated Completion: To Be Determined
Corrective Actions: VA established the Security Investigation Center to ensure background investigations are conducted. The Office of Operations, Security, and Preparedness is coordinating actions to improve procedures for ensuring background investigations and reinvestigations are completed for all applicable VA employees and contractors in a timely manner. Exceptions related to timely background investigations continued to be identified during FY 2012 FISMA testing.

Number: FY 2006–08
Recommendation: We recommend the Assistant Secretary for Information and Technology reduce wireless security vulnerabilities by ensuring sites have an effective and up-to-date methodology to protect against the interception of wireless signals and unauthorized access to the network and ensure the wireless network is segmented and protected from the wired network.
Status (In Progress or Closed): In Progress
Estimated Completion: To Be Determined
Corrective Actions: VA developed Directive 6512, Secure Wireless Technology and Wireless Security, to supplement VA Handbook 6500. The Directive provides guidelines for protecting VA wireless networks from signal interception, enhancing network security, and segmenting VA’s wireless network from the wired network. VA has begun replacing the legacy wireless networks with more robust and secure wireless networks, defining strict configuration guidelines and implementation plans. VA has established the National Wireless Infrastructure Team to ensure all authorized VA wireless access points use a standard wireless network configuration. Potential rogue access points continued to be identified during FY 2012 FISMA testing.

Number: FY 2006–09
Recommendation: We recommend the Assistant Secretary for Information and Technology identify and deploy solutions to encrypt sensitive data and resolve clear text protocol vulnerabilities.
Status (In Progress or Closed): In Progress
Estimated Completion: September 2013
Corrective Actions: VA is developing and integrating multiple technologies across the enterprise to encrypt sensitive data, both at rest and in transit. The technologies include:
• Deploy Sanctuary across the enterprise to ensure only authorized, encrypted Universal Serial Bus devices are in use.
• Deploy laptop and desktop encryption.
• Deploy Data Transmission/Attachmate to safely host information on the Web.
VA’s “Visibility to Everything” (Server and Desktop) program verifies deployment of the above technologies and allows the Department to remediate identified deficiencies. Clear text protocol vulnerabilities continued to be identified during our FY 2012 FISMA testing.

Number: FY 2006–13
Recommendation: We recommend the Assistant Secretary for Information and Technology complete the implementation of two-factor authentication in accordance with NIST Special Publication 800-53.
Status (In Progress or Closed): Closed. Superseded by recommendation FY 2012–11.
Estimated Completion: Not Applicable
Corrective Actions: None reported.

Appendix B    Background

On December 17, 2002, then-President George W.
Bush signed FISMA into law, reauthorizing key sections of the Government Information Security Reform Act. FISMA provides a comprehensive framework for ensuring effective security controls over information resources supporting Federal operations and assets. FISMA also provides a mechanism for improved oversight of Federal agency information security programs.

FISMA requires each Federal agency to develop, document, and implement an agency-wide security program. VA's security program should protect the information systems that support the operations, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are responsible for conducting annual evaluations of information security programs and practices.

FISMA also requires agency Inspectors General to assess the effectiveness of agency information security programs and practices. Guidance has been issued by OMB in both circulars and memoranda and by NIST in its 800 series of special publications supporting FISMA implementation covering significant aspects of the law. In addition, Federal Information Processing Standards have been issued to establish agency baseline security requirements.

OMB and DHS provide instructions to Federal agencies and Inspectors General for preparing annual FISMA reports. In September 2012, OMB issued Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. Federal agencies are to focus on implementing the Administration's three cybersecurity priorities established in FY 2012: (1) Continuous Monitoring, (2) Trusted Internet Connection capabilities and traffic consolidation, and (3) strong authentication using Personal Identity Verification cards for logical access. The FY 2012 FISMA metrics issued by DHS established minimum and target levels of performance for these priorities, as well as metrics for other key performance areas. To comply with the reporting requirements, agencies must carry out the following activities.

• Chief Information Officers will submit monthly data feeds through CyberScope, the FISMA reporting application. Agencies must upload data from their automated security management tools into CyberScope on a monthly basis for a specified number of data elements.

• Agencies must respond to security posture questions on a quarterly/annual basis. These questions address areas of risk and are designed to assess the implementation of security capabilities and measure their effectiveness.

• The Chief Information Officers must report to DHS on a quarterly basis, and Inspectors General and Senior Agency Officials for Privacy must report to DHS on an annual basis.

• Agencies must participate in CyberStat accountability sessions and agency interviews conducted by DHS, OMB, and the White House National Security Staff.

DHS reporting instructions also focus on performance metrics related to key control activities, such as developing a complete inventory of major information systems, providing security training to personnel, testing and evaluating security controls, and testing continuity plans. The OIG contracted with the independent accounting firm CliftonLarsonAllen LLP to conduct the annual FISMA audit for FY 2012. The OIG provided oversight of the contractor's performance.

Appendix C    Scope and Methodology

The FISMA audit determines the extent to which VA's information security program complies with FISMA requirements and relevant guidelines. The audit team considered Federal Information Processing Standards and NIST guidance during its audit.
Audit procedures included reviewing policies and procedures, interviewing employees, reviewing and analyzing records, and reviewing supporting documentation. The VA OIG provided oversight of the audit team's performance.

This year's work included evaluation of 81 selected major applications and general support systems hosted at 22 VA facilities to support Veterans Health Administration, Veterans Benefit Administration, and National Cemetery Administration lines of business. The audit teams performed vulnerability tests and evaluated management, operational, technical, and application controls supporting major applications and general support systems.

In connection with the audit of VA's FY 2012 consolidated financial statements, CliftonLarsonAllen LLP evaluated general computer and application controls of VA's major financial management systems, following the Government Accountability Office's Federal Information System Controls Audit Manual methodology. Significant financial systems deficiencies identified during CliftonLarsonAllen's evaluation are included in this report.

Site Selections

In selecting VA facilities for testing, the audit teams considered the geographic region, size, and complexity of each hosting facility, as well as the criticality of systems hosted at the facility. Sites selected for testing included:

• Information Technology Center—Austin, TX
• VA Medical Facility—Birmingham, AL
• VA Medical Facility—Chillicothe, OH
• VA Medical Facility—Columbia, SC
• Capitol Region Data Center—Falling Waters, WV
• Information Technology Center—Hines, IL
• VA Medical Facility—Lexington, KY
• VA Medical Facility—Loma Linda, CA
• Capitol Regional Readiness Center—Martinsburg, WV
• VA Medical Facility—Memphis, TN
• Information Technology Center—Philadelphia, PA
• VA Insurance Center—Philadelphia, PA
• VA Regional Office—Philadelphia, PA
• Bank of America Contractor-Managed Facility—Plano, TX
• National Cemetery Administration—Quantico, VA
• VA Medical Facility—Salt Lake City, UT
• VA Regional Office—Salt Lake City, UT
• VA Central Office—Washington, DC
• VA Medical Facility—Washington, DC
• National Capital Region Benefits Office—Washington, DC
• VA Medical Facility—West Palm Beach, FL
• VA Medical Facility—White River Junction, VT

Vulnerability assessment procedures used automated scanning tools and validation procedures to identify high-risk common security vulnerabilities affecting mission-critical systems. In addition, vulnerability tests evaluated selected servers and work stations residing on the network infrastructure; databases hosting major applications; Web application servers providing Internet and Intranet services; and network devices, including wireless connections.

Government Audit Standards

The FISMA audit was conducted in compliance with Government Auditing Standards, July 2007 Revision, issued by the Comptroller General of the United States. The teams conducted their evaluations from April through September 2012. Standards for Performance Audits are applicable for this engagement. These standards require the teams plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions based on the audit objectives.
The evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objective.

Appendix D    Acting Assistant Secretary for Information and Technology Comments

Department of Veterans Affairs
Memorandum

Date:    May 30, 2013

From:    Acting Assistant Secretary for Information and Technology (005)

Subj:    Draft Audit Report: Federal Information Security Management Act (FISMA) Assessment for FY 2012

To:      Assistant Inspector General for Audits and Evaluations (52CT)

1. Thank you for the opportunity to review the subject draft audit report. The Office of Information and Technology concurs and submits the attached detailed comments to the report's 32 recommendations.

2. VA treats the protection of Veteran data very seriously. Toward that end, VA has embarked on a cultural transformation with implementation of the Continuous Readiness in Information Security Program (CRISP). CRISP is the new operating model for protecting our Veterans' private and sensitive information. The program embodies an integrated approach to protecting sensitive information from inappropriate exposure or loss. Its framework depends on broad support to achieve many near-term goals in this fiscal cycle.

3. We appreciate your time and attention to our information security program. If you have any questions, contact me at 202-461-6910 or have a member of your staff contact Gary Stevens, Director, Office of Cyber Security, at 202-632-7538.

(original signed by:)

Stephen W. Warren

Attachment

Office of Information and Technology
Comments to Draft OIG Report,
"Federal Information Security Management Act Audit for FY 2012"

OIG Recommendations and OIT Responses:

Recommendation 1: We recommend the Acting Assistant Secretary for Information and Technology fully develop and implement an agency-wide risk management governance structure, along with mechanisms to identify, monitor, and manage risks across the enterprise. (This is a repeat recommendation from last year.)

OIT Response: Concur. The Office of Information Technology (OIT) has established an Enterprise Risk Management (ERM) organization that manages risks that are applicable to the OIT enterprise. Within ERM, the Risk Assessment and Mitigation (RAM) office has an IT Security and Compliance Risk Division that is focused on the assessment and mitigation of information security risks that meet the organization's definition of enterprise-level risk.
The Office of Information Security (OIS) also has a Risk Management office that addresses information security risks that do not rise to the level of OIT enterprise risks.

OIT has also procured a Governance, Risk, and Compliance (GRC) tool and is currently implementing the product to facilitate the automated collection of certain risk management information. The GRC tool will be VA's sole repository capable of tracking the real-time security posture of the VA's IT systems, by exploiting existing IT monitoring and tracking tools, such as Tivoli End-Point Manager (TEM), SolarWinds, NESSUS, to extract, in real-time, up to 54 NIST controls, while capturing the remaining controls via automated workflows. The result is a more comprehensive understanding of the security posture of the VA far exceeding any past capabilities.

Target Completion Date: August 31, 2013

Recommendation 2: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure sufficient supporting documentation is captured in the central database to justify closure of Plans of Action and Milestones. (This is a repeat recommendation from last year.)

OIT Response: Concur. The Assistant Secretary for Information and Technology has implemented an interim solution, consisting of quarterly Plans of Action and Milestone (POAM) reviews as well as an external quality assurance assessment to ensure accurate supporting documentation for POAM closure. However, upon completion of the GRC tool, automatic processes are integrated into the framework, ensuring accurate POAM closure justification is included in a centralized database.

Target Completion Date: August 31, 2013

Recommendation 3: We recommend the Acting Assistant Secretary for Information and Technology define and implement clear roles and responsibilities for developing, maintaining, completing, and reporting Plans of Action and Milestones. (This is a repeat recommendation from last year.)

OIT Response: Concur. In tandem with the implementation of the GRC tool, VA has defined and implemented clear roles and responsibilities for the development, maintenance, completion, and reporting of all POAMs.

Target Completion Date: August 31, 2013 (tied to the implementation of the GRC tool)

Recommendation 4: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure Plans of Action and Milestones are updated to accurately reflect current status information. (This is a repeat recommendation from last year.)

OIT Response: Concur. With the implementation of the GRC tool, which consists of continuous monitoring capabilities and automated vulnerability and configuration feeds, POAMs will be more accurately reflective of current status information.

Target Completion Date: August 31, 2013 (tied to the implementation of the GRC tool)

Recommendation 5: We recommend the Acting Assistant Secretary for Information and Technology develop mechanisms to ensure system security plans reflect current operational environments, including accurate system interconnection and ownership information. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA established the OIT Security Calendar in 2012, which includes the annual updates to the System Security Plans. With the implementation of the GRC tool, a new mechanism for creating and maintaining system security plans will be established which will include reflection of ownership and operational environments. Many of the pieces within the system security plans will be automated, allowing for more accurate information to be maintained. A Continuous Readiness in Information Security Program (CRISP) Management Framework has been established to ensure verification and compliance.

Target Completion Date: March 31, 2014

Recommendation 6: We recommend the Acting Assistant Secretary for Information and Technology implement improved processes for updating key security documents such as risk assessments, security impact analyses, and security self-assessments on at least an annual basis and ensure all required information accurately reflects the current environment and new risks in accordance with Federal standards. (This is a new recommendation.)

OIT Response: Concur. As with response to finding #5, new and improved processes for maintaining documentation such as risk assessments, security impact analyses and security self-assessments will be phased in consistent with the 3-year implementation plan of the GRC Tool. Many of the pieces within the documentation plans will be automated, allowing for more accurate information to be maintained. OIT will validate key security documents annually.

Target Completion Date: August 31, 2013

Recommendation 7: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to enforce VA password policies and standards on all operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA has implemented a process for monitoring password policies via predictive scans and remediation processes on OIT systems. Minimum requirements are in place to enforce VA passwords and standards on newer systems. VA's monthly predictive scanning process has drastically improved finding vulnerabilities with password policies and is continually improving in this area.

Target Completion Date: January 31, 2014

Recommendation 8: We recommend the Acting Assistant Secretary for Information and Technology implement periodic access reviews to minimize access by system users with incompatible roles, permissions in excess of required functional responsibilities, and unauthorized accounts.

OIT Response: Concur. OIT has implemented quarterly reviews of all users with elevated privileges on IT Systems. Additionally, VA conducts semi-annual reviews of user accounts to ensure system users have the appropriate level of access and segregation of duties.

Target Completion Date: Complete and closed.

Recommendation 9: We recommend the Acting Assistant Secretary for Information and Technology enable system audit logs and conduct centralized reviews of security violations on mission-critical systems. (This is a repeat recommendation from last year.)

OIT Response: Concur. Implementation is currently unfunded in terms of storage and staffing within the medical center/field operation environment. These tools have been implemented in our Data Center and by our Network and Security Operations Center. The installation of the devices for our field locations is contingent on funding in FY 2014.

Target Completion Date: September 30, 2014 (contingent upon receipt of funds)

Recommendation 10: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems. (This is a repeat recommendation from last year.)

OIT Response: Concur.
A workgroup has been established to develop mechanisms to ensure all remote access computers have updated security patches and antivirus definitions prior to connecting to VA information systems.

Target Completion Date: January 31, 2014

Recommendation 11: We recommend the Acting Assistant Secretary for Information and Technology implement two-factor authentication for remote access throughout the agency. (This is a new recommendation.)

OIT Response: Concur. All users who require access to VA network resources will be required to utilize Two-Factor Authentication (2FA) for secure remote access by September 30, 2013.

Target Completion Date: September 30, 2013

Recommendation 12: We recommend the Acting Assistant Secretary for Information and Technology implement effective automated mechanisms to continuously identify and remediate security deficiencies on VA's network infrastructure, database platforms, and Web application servers. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. VA has implemented predictive scanning beginning February 2013. This scanning allows for the identification of vulnerabilities, remediation of those vulnerabilities and compliance monitoring. Security Incident and Event Management (SIEM) Procurement by the NSOC is scheduled for FY14.

Target Completion Date: September 30, 2014

Recommendation 13: We recommend the Acting Assistant Secretary for Information and Technology implement a patch and vulnerability management program to address security deficiencies identified during our assessments of VA's Web applications, database platforms, network infrastructure, and work stations. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. VA implemented predictive scanning beginning February of 2013. This scanning allows for the identification of vulnerabilities, remediation of those vulnerabilities and compliance monitoring. A Security Management and Analytics office has been established and will continue to staff through September 2013 to monitor security deficiencies identified during our assessments of VA's Web applications, database platforms, network infrastructure, and work stations. Within Enterprise Operations, a consistent program for identifying and remediating vulnerabilities has been in place for several years.

Target Completion Date: June 30, 2013

Recommendation 14: We recommend the Acting Assistant Secretary for Information and Technology implement standard security configuration baselines for all VA operating systems, databases, applications, and network devices. (This is a repeat recommendation from last year.)

OIT Response: Concur. Baselines have been developed for enterprise level operating systems and platforms. Additional baselines are needed as new technology enters the environment. An intake process for this has been created and workflows/processes developed for this function. Known needed baselines include printers, thin clients, and SQL databases. These are being developed and will be completed by the target date.

Target Completion Date: September 30, 2013

Recommendation 15: We recommend the Acting Assistant Secretary for Information and Technology implement procedures to enforce a system development and change control framework that integrates information security throughout the life cycle of each system. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA has implemented the Project Management Accountability System (PMAS) process and additional processes to address and enforce a system development and change control framework that integrates information security throughout the life cycle of each system. The Office of Cyber Security is in the process of coordinating with the relevant program offices to identify potential opportunities to inject security within the system development and change control framework.

Target Completion Date: September 30, 2014

Recommendation 16: We recommend the Acting Assistant Secretary for Information and Technology implement processes to ensure information system contingency plans are updated with the required information and lessons learned are communicated to senior management. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. Lessons learned were incorporated into the annual security calendar. A complete redesign was completed of the IS Contingency and Disaster Recovery documentation and testing processes in 2012. This redesign included the updating of required after action reports and lessons learned from Contingency and Disaster recovery testing.

Target Completion Date: September 30, 2013

Recommendation 17: We recommend the Acting Assistant Secretary for Information and Technology develop and implement a process for ensuring the encryption of backup data prior to transferring the data offsite. (This is a new recommendation.)

OIT Response: Concur. VA has identified the issue of backup tape encryption as a vulnerability. The Assistant Secretary for Information Technology has deferred a decision to ensure the encryption of backup tape data through a Risk Based Decision (RBD). This national RBD identifies mitigating controls to compensate for the lack of backup tape encryption and will be further documented in local security documentation for systems that do not support backup tape encryption.

Target Completion Date: Completed

Recommendation 18: We recommend the Acting Assistant Secretary for Information and Technology ensure that agreements for alternate processing sites have been established that define the roles and responsibilities for alternate locations in the event of a disaster. (This is a new recommendation.)

OIT Response: Concur. Region level alternate processing site agreements that define the roles and responsibilities for alternate locations are in development.

Target Completion Date: June 30, 2013

Recommendation 19: We recommend the Acting Assistant Secretary for Information and Technology fully implement an automated 24-hour security event and incident correlation solution to monitor security for all systems interconnections, database security events, and mission-critical platforms supporting VA programs and operations. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. Security Information & Event Management (SIEM) Procurement by the NSOC is scheduled for FY14.

Target Completion Date: September 30, 2014

Recommendation 20: We recommend the Acting Assistant Secretary for Information and Technology identify all external network interconnections and ensure appropriate Interconnection Security Agreements and Memoranda of Understanding are in place to govern them. (This is a repeat recommendation from last year.)

OIT Response: Concur.
All Memoranda of Understanding (MOU) and Interconnection Security Agreements (ISA) for known external network connections are currently under review (as part of OIT's annual review) and will be established or updated to reflect operational environments. As part of this effort, OIT issued a data call to report and document instances of air-gapped networks. OIT has documented these known connections (a new requirement) and has also published guidance on this subject.

Target Completion Date: September 30, 2013

Recommendation 21: We recommend the Acting Assistant Secretary for Information and Technology implement more effective agency-wide incident response procedures to ensure timely resolution of computer security incidents in accordance with VA set standards. (This is a modified repeat recommendation.)

OIT Response: Concur. VA has segregated the Network Security Operations Center into communications and cyber response components to allow more efficient and effective agency-wide cyber incident response in order to ensure timely resolution of computer security incidents in accordance with VA set standards. Additional implementation involves a ticket escalation process to ensure that computer security events are being addressed timely.

Target Completion Date: September 30, 2013

Recommendation 22: We recommend the Acting Assistant Secretary for Information and Technology implement effective continuous monitoring processes to identify and prevent the use of unauthorized application software, hardware (including personal storage devices), and system configurations on its networks. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA utilizes many tools such as Intrusion Protection System, Firewalls, Wireless Access Firewall, Tivoli Endpoint Management (Big Fix), anti-virus and Sanctuary to detect the presence and use of unauthorized software and hardware. The only item left to proactively monitor, prevent installation and remove unauthorized software is in development. The effort to design the solution is underway.

Target Completion Date: September 30, 2014

Recommendation 23: We recommend the Acting Assistant Secretary for Information and Technology develop a comprehensive software inventory process to identify major and minor software applications used to support VA programs and operations. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA has several tools such as Tivoli Endpoint Manager, Microsoft's System Center Configuration Manager and Orion, which when fully deployed will identify major and minor software applications.

Target Completion Date: December 30, 2013

Recommendation 24: We recommend the Acting Assistant Secretary for Information and Technology develop procedures to integrate information security costs into the capital planning process while ensuring traceability of Plans of Action and Milestones remediation costs to appropriate capital planning budget documents. (This is a repeat recommendation from last year.)

OIT Response: Concur.

Target Completion Date: August 30, 2013

Recommendation 25: We recommend the Acting Assistant Secretary for Information and Technology implement procedures for overseeing contractor managed systems and ensuring information security controls adequately protect VA sensitive systems and data. (This is a repeat recommendation from last year.)

OIT Response: Concur. VA 6500.6 provides guidance regarding oversight of contractor managed systems. Consistent with this policy, VA requires managed service providers to comply with these standards, inclusive of supporting on site Security Controls Assessments (SCAs) and allowing routine compliance monitoring by the NSOC. OIT will work with the TAC to ensure appropriate language is included in all OIT contracts.

Target Completion Date: Completed

Recommendation 26: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms for updating the Federal Information Security Management Act systems inventory, including interfaces with contractor-managed systems, and annually review the systems inventory for accuracy. (This is a repeat recommendation from last year.)

OIT Response: Concur. The VA is continuing to improve efforts towards obtaining a 100% accuracy of its FISMA systems. At present, Tivoli Endpoint Manager is present on 95% of the Department's servers and desktops. Further, Solarwinds is on an equivalent percentage of the network devices. Excluded systems and devices, defined as other, are being reviewed to determine the appropriate steps required to complete the inventory. OIT will put in place a process to annually review the inventory for accuracy.

Target Completion Date: September 30, 2013

Recommendation 27: We recommend the Acting Assistant Secretary for Information and Technology implement mechanisms to ensure all users with VA network access participate in and complete required VA-sponsored security awareness training. (This is a modified repeat recommendation from last year.)

OIT Response: Concur. VA Deputy Secretary signed the CRISP Sustainment memo (VAIQ 7227211) that required all users of VA Computer systems and sensitive information be enrolled in the Talent Management System (TMS) by March 31, 2013. VA has maintained better than 97.6% compliance for Information Security Training.

Target Completion Date: Complete and Closed

Recommendation FY 2010–21: We recommend the Assistant Secretary for Information and Technology develop mechanisms to ensure risk assessments accurately reflect the current control environment, compensating controls, and the characteristics of the relevant VA facilities.

OIT Response - Status of Corrective Actions: With the implementation of the GRC Tool, new and improved processes for maintaining documentation such as risk assessments are being established. A percentage of the controls for each VA Information System (primarily those in the technical control family) will be monitored automatically and continuously, allowing for more accurate, complete, and timely information to be maintained. The GRC Tool will greatly improve the efficiency with which some controls are assessed, facilitating more timely risk management decision-making and enabling ongoing authorizations to operate. OIT is continuing to develop and refine an Information Security Continuous Monitoring (ISCM) program. OIT's ISCM program will not only address which controls will be monitored continuously via the GRC Tool, but will also include plans to periodically assess the remaining controls that cannot be automated and must continue to be assessed manually.
Additionally, ERM will develop a\nprogram to periodically assess the automated tools providing input to the GRC Tool to ensure\nthey are providing accurate and complete information.\n\nTarget Completion Date: September 30, 2013\n\nRecommendation FY 2006\xe2\x80\x9303: We recommend the Assistant Secretary for Information and\nTechnology review and update all applicable position descriptions to better describe sensitivity\nratings and better document employee personnel records and contractor files, including \xe2\x80\x9cRules\nof Behavior\xe2\x80\x9d instructions, annual privacy and Health Insurance Portability and Accountability\nAct of 1996 training certifications, and position sensitivity level designations.\n\nOIT Response - Status of Corrective Actions: The office responsible for this activity is the\nOffice of Human Resources and Administration. The Assistant Secretary for Information\nTechnology is actively partnering with the Office of Operations, Security and Preparedness and\nthe Office of Human Resources and Administration to remediate this finding.\n\nTarget Completion Date: January 31, 2014\n\nRecommendation FY 2006\xe2\x80\x9304: We recommend the Assistant Secretary for Information and\nTechnology ensure appropriate levels of background investigations be completed for all\napplicable VA employees and contractors in a timely manner, implement processes to monitor\n\nVA Office of Inspector General                                                                 39\n\x0c                                                                    VA\xe2\x80\x99s FISMA Audit for FY 2012\n\n\nand ensure timely reinvestigations on all applicable employees and contractors, and monitor the\nstatus of the requested investigations.\n\nOIT Response - Status of Corrective Actions: The office responsible for this activity is the\nOffice of Operations, Security and Preparedness. 
The Assistant Secretary for Information\nTechnology is partnering with the Office of Operations, Security and Preparedness and the\nOffice of Human Resources and Administration to remediate this finding.\n\nTarget Completion Date: September 30, 2014\n\nRecommendation FY 2006\xe2\x80\x9308: We recommend the Assistant Secretary for Information and\nTechnology reduce wireless security vulnerabilities by ensuring sites have an effective and up-\nto-date methodology to protect against the interception of wireless signals and unauthorized\naccess to the network and ensure the wireless network is segmented and protected from the\nwired network.\n\nOIT Response - Status of Corrective Actions: 50% of VA\xe2\x80\x99s wireless infrastructure has been\nupgraded to meet this requirement. The remaining 50% of the wireless enterprise is an unfunded\nbut scheduled for funding in FY14.\n\nTarget Completion Date: September 30, 2014\n\nRecommendation FY 2006\xe2\x80\x9309: We recommend the Assistant Secretary for Information and\nTechnology identify and deploy solutions to encrypt sensitive data and resolve clear text\nprotocol vulnerabilities.\n\nOIT Response - Status of Corrective Actions: VA is in the process of encrypting Desktops\nand Mobile Devices. 
Additional actions are under way to restrict the use of clear text protocols\nsuch as telnet and FTP.\n\nTarget Completion Date: September 30, 2013\n\n\n\n\nVA Office of Inspector General                                                               40\n\x0c                                                            VA\xe2\x80\x99s FISMA Audit for FY 2012\n\n\nAppendix E          Office of Inspector General Contact and Staff\n                    Acknowledgements\n\n                      OIG Contact \t      For more information about this report, please\n                                         contact the Office of Inspector General at\n                                         (202) 461-4720.\n\n                      Acknowledgments    Michael Bowman, Director\n                                         Carol Buzolich\n                                         Elijah Chapman\n                                         Neil Packard\n                                         Richard Purifoy\n                                         Felita Traynham\n\n\n\n\nVA Office of Inspector General                                                       41\n\x0c                                                                    VA\xe2\x80\x99s FISMA Audit for FY 2012\n\n\nAppendix F          Report Distribution\n\n                    VA Distribution\n\n                    Office of the Secretary\n                    Veterans Health Administration\n                    Veterans Benefits Administration\n                    National Cemetery Administration\n                    Assistant Secretaries\n                    Office of General Counsel\n\n                    Non-VA Distribution\n\n                    House Committee on Veterans\xe2\x80\x99 Affairs \n\n                    House Appropriations Subcommittee on Military Construction, \n\n                     Veterans Affairs, and Related Agencies\n                    House Committee on Oversight and Government Reform\n                  
  Senate Committee on Veterans\xe2\x80\x99 Affairs\n                    Senate Appropriations Subcommittee on Military Construction,\n                     Veterans Affairs and Related Agencies\n                    Senate Committee on Homeland Security and Governmental Affairs\n                    Government Accountability Office\n                    Office of Management and Budget\n                    Department of Homeland Security\n\n\n\n\n                    This report is available on our Web site at www.va.gov/oig.\n\n\n\n\nVA Office of Inspector General                                                               42\n\x0c"